
svshost.exe - taking over my computer?

Discussion in 'Virus & Other Malware Removal' started by Ice4, Oct 8, 2007.

  1. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    While online tonight, a window popped up briefly enough for me to read WINNT and 32, then my internet connection lit up even though I wasn’t pushing any buttons. I checked my task manager, and it said an application n1 was running, and a process svshost.exe was very active. I immediately unplugged my internet connection and n1 disappeared, though svshost.exe continued. At this point I realized that my firewall (Kerio Free, which doesn’t always startup automatically) wasn’t on, so I turned it on. I went back online, and the same thing happened again: WINNT window flashed briefly, application n1 appeared in task manager, along with another application, something-something-browse, and in processes svshost continued to run, along with aff.exe and rvv.exe. I unplugged my internet connection and all but svshost went away.

    I ran a scan of the entire WINNT folder with AVG Free, then scanned with both AdAware and Spybot, though both have not been updated in some time (I didn’t want to go back online, since I don’t know what risks I’m taking with this bug - I'm using a different computer right now). AdAware found one item, which I don’t remember, but it was a tracking cookie. Spybot found a bunch more tracking cookies (WebTrends live, BFast, DoubleClick, HitBox, HitsLink, MediaPlex, Statcounter, Tradedoubler, and Zedo) and the following I’ve never seen before during a scan:
    Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify
    Microsoft.WindowsSecurityCenter.AntiVirusOverride
    Microsoft.WindowsSecurityCenter.FirewallDisabled
    Microsoft.WindowsSecurityCenter.FirewallDisabledNotify
    Microsoft.WindowsSecurityCenter.FirewallOverride
    Microsoft.WindowsSecurityCenter.SP2Update
    Microsoft.WindowsSecurityCenter.UpdateDisableNotify
    Microsoft.WindowsSecurityCenter_disabled

    Spybot says it fixed these problems, but the task manager indicates that svshost is still running, though seems to be using a little less CPU than before, while my firewall is using up most of the rest.

    I was going to do a scan with the AVG AS (formerly Ewido) and Kaspersky online scanners, but since this bug seems to be very active the moment I'm online, I wonder if I need to stay offline and figure out how to remove it manually?

    I tried to search for svshost on my computer to see if I could tell when it was created, but Windows Explorer told me the file couldn't be accessed offline, and asked whether I wanted to connect (I clicked on "stay offline"). I tried some other searches and there were a lot of things it didn't find even though I was looking at the file right in front of me. Every once in a while it opened up a notepad, but mostly it either ignored my query, or told me that whatever I was looking for (including complete gibberish) couldn't be accessed offline.

    I poked around a bit manually to see if I could find any files that have been modified lately without my knowledge, and found that the drivers file in WINNT/system32 was modified around the time of the second attack tonight, though I see no evidence in the folder itself. Also in system32, a file called "i", which has a Windows logo, was created just before the attack.

    I looked up svshost on the internet, and it appears to be a virus, though there are the usual warnings about being careful when messing with the operating system, since some bugs use the names of necessary programs. So I'm wondering if this is definitely a bug, or is there a possibility that this is normal? I found only mention of it as a bug, no explanation of how it might be useful. I tried to end the process in my task manager, but it told me "Unable to Terminate Process - The operation could not be completed. Access is denied" and the screen went black for a moment.

    I've looked through this and other forums, but I'm simply not computer literate enough to make sense out of what little I was able to find about this process. I have an added limitation because my computer is very low on memory, only 128 MB RAM (and will never be more than 256, since that's all my laptop can take, though at the moment I can't afford to even upgrade to that, as I live way below the poverty line), so downloading a lot of programs isn't an option for me anymore. I can only download very very small programs.

    I've noticed that on almost all the support forums I've visited people are posting HijackThis logs. I'm sorry, but I don't know what that is, and whether or not this is something I'm equipped to provide. Could someone please help me with this? I'm largely housebound due to disability and rely quite heavily on this equally disabled little machine for day to day functioning.

    Thanx so much.


    P.S. I'm on a laptop running Windows 2000 Pro, with 128 MB RAM, with Sunbelt/Kerio free firewall, AVG Free, AdAware, Spybot S&D, using Firefox with Adblock and SiteAdvisor.
     
  2. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Go here and download the 'Hijack This!' self-installer. Save it to the desktop or another suitable place. DO NOT just press Run from the website. Double-click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    Thanks for the easily understandable instructions. Much appreciated. Here’s the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:57:08 AM, on 10/9/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svshost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\My Downloads\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/235c88303fba5514c902/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124268309540
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe

    --
    End of file - 4269 bytes

    FYI:
    While I downloaded HijackThis, svshost went back in motion, same window opened, the two applications n1 and browse started running. I stopped task on both applications and they didn’t come back until I logged on again to send this and the same thing happened again. I had to re-log in later because this forum wasn't up and running, and when it happened again, browse ran again, but this time the other application was just called 1.

    Thanx for helping me.
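The log above shows the pattern a malware analyst looks for first: a process whose name is one letter off from a real system binary (svshost.exe versus svchost.exe), registered as a service with no publisher ("Unknown owner"). The following Python script is an added example, not HijackThis code and not posted by anyone in this thread; it automates that triage over HijackThis log text. The embedded sample is a constructed excerpt built from the lines posted above, and the list of well-known binaries is an assumption chosen for illustration.

```python
"""Triage a HijackThis log for lookalike system binaries and unowned services.

Added example for this thread (not HijackThis code). It reads the log text,
collects executables from the "Running processes" section and from O23
service lines, and flags (a) file names one edit away from a well-known
Windows system binary and (b) services HijackThis reports as "Unknown owner".
"""
import re

# Assumed list of system binaries that malware commonly imitates by name.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe",
}

# HijackThis O23 line layout: "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on a POSIX host too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def lookalike_of(name: str):
    """Return the known binary this name imitates, or None if it is exact or unrelated."""
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


def parse_log(text: str) -> dict:
    """Pull running-process paths and O23 service entries out of a HijackThis log."""
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process section
                in_processes = False
            else:
                processes.append(line)
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"processes": processes, "services": services}


def triage(text: str) -> list:
    """Return findings: lookalike binaries (deduplicated by path) and unowned services."""
    parsed = parse_log(text)
    findings, seen = [], set()
    for path in parsed["processes"] + [s["path"] for s in parsed["services"]]:
        name = basename(path)
        target = lookalike_of(name)
        if target and path.lower() not in seen:
            seen.add(path.lower())
            findings.append({"kind": "lookalike", "path": path,
                             "detail": f"{name} resembles {target}"})
    for svc in parsed["services"]:
        if svc["owner"] == "Unknown owner":
            findings.append({"kind": "unknown_owner", "path": svc["path"],
                             "detail": svc["name"]})
    return findings


# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\System32\taskmgr.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['path']}: {f['detail']}")
```

A hit from this script is a lead for a human to verify (publisher, file location, creation time), not proof of infection by itself.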
     
  4. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  5. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    Wow. That was fascinating. Everything's running much smoother.

    Here's the SDFix Report:


    SDFix: Version 1.107

    Run by ICE4 on Tue 10/09/2007 at 2:45a

    Microsoft Windows 2000 [Version 5.00.2195]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\dmgr.exe - Deleted
    C:\WINNT\regedit.com - Deleted
    C:\WINNT\system32\i - Deleted
    C:\WINNT\system32\svshost.exe - Deleted
    C:\WINNT\system32\TFTP1380 - Deleted
    C:\WINNT\system32\TFTP672 - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINNT
    No streams found.

    C:\WINNT\system32
    No streams found.

    C:\WINNT\system32\svchost.exe
    No streams found.

    C:\WINNT\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:





    Finished!



    HijackThis Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:16:16 AM, on 10/9/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\My Downloads\Picasa\PicasaMediaDetector.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\My Downloads\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/235c88303fba5514c902/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124268309540
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EC632F-B653-4D58-B57C-AD381ECECB0C}: NameServer = 216.126.136.250 216.126.128.40
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

    --
    End of file - 4402 bytes


    Everything looks normal now... Is it fixed?

    SDFix said to run CatchMe next. There's an icon on my desktop called catchme. Do I do anything with it?
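The O23 line in the log above is the tell: a service with no vendor string whose binary, svshost.exe, is one letter away from the genuine svchost.exe that appears in the running-process list, and whose file is already gone. Automating that check over a HijackThis log, as an added example that is not part of the thread or of HijackThis itself: it parses O23 service lines and O17 NameServer lines, flags binaries that are one edit away from a real system binary, services marked "Unknown owner" or "(file missing)", and nameservers outside a set the analyst passes in. The sample log lines are constructed from the shape of the log above; the list of legitimate binaries and the trusted-nameserver set are the analyst's assumptions, not something the page supplies.

```python
import re
from typing import Dict, List, Optional, Set

# Windows binaries that bots habitually impersonate with a one-letter rename
# (svshost.exe vs svchost.exe). This list is an assumption; extend as needed.
LEGIT_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe",
}

# Constructed sample: the shape of the O17 and O23 lines from the log above,
# plus one benign vendor service as a control.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EC632F-B653-4D58-B57C-AD381ECECB0C}: NameServer = 216.126.136.250 216.126.128.40
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit means a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe: str) -> Optional[str]:
    """Return the legitimate binary `exe` imitates, or None if it is legit or unrelated."""
    exe = exe.lower()
    if exe in LEGIT_SYSTEM_BINARIES:
        return None
    for legit in LEGIT_SYSTEM_BINARIES:
        if edit_distance(exe, legit) == 1:
            return legit
    return None


# O23 - Service: <display name> - <owner/vendor> - <path> [ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, owner, path, missing = m.groups()
    return {
        "name": name,
        "owner": owner,
        "path": path,
        "exe": path.rsplit("\\", 1)[-1].lower(),
        "missing": missing is not None,
    }


def parse_o17(line: str) -> List[str]:
    """Nameservers from an O17 line; HijackThis separates them with spaces or commas."""
    m = re.search(r"NameServer = (.+)$", line.strip())
    return re.split(r"[\s,]+", m.group(1).strip()) if m else []


def audit(log_text: str, trusted_nameservers: Set[str]) -> List[Dict[str, object]]:
    """One finding per suspicious line, each with the list of reasons it tripped."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O23 - Service:"):
            svc = parse_o23(line)
            if svc is None:
                continue
            reasons = []
            target = lookalike(svc["exe"])
            if target:
                reasons.append(f"'{svc['exe']}' is one edit away from '{target}'")
            if str(svc["owner"]).lower() == "unknown owner":
                reasons.append("no vendor/owner string")
            if svc["missing"]:
                reasons.append("binary missing on disk (orphaned service entry)")
            if reasons:
                findings.append({"line": line, "reasons": reasons})
        elif line.startswith("O17 -"):
            rogue = [s for s in parse_o17(line) if s not in trusted_nameservers]
            if rogue:
                findings.append({"line": line, "reasons": [f"untrusted NameServer(s): {' '.join(rogue)}"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"216.126.136.250", "216.126.128.40"}):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

The nameservers in an O17 line are not rogue by themselves; a consumer ISP's resolvers look exactly like this, which is why the trusted set is an input to `audit` rather than hardcoded. The service check, by contrast, needs no outside knowledge: a one-letter-off system binary name with no vendor and no file on disk is worth investigating on any box.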
     
  6. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Double-click the catchme icon and post back the log it makes as well.

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click ALL
      • In the Files Created Within group click 30 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select ALL
      • In the Additional Scans section click Select All, then unselect Event Viewer and uncheck Non-Microsoft only.
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here . I will review it when it comes in.
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Please do as I asked in my last post and attach the report.

    This forum software mangles some entries in these logs when pasted, so we cannot use it to do a fix if we find anything.
     
  8. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Download this tool to your desktop:
    http://www.uploads.ejvindh.net/rootchk.exe
    Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

    Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
     
  9. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    Oh, sorry. I didn't register that you wanted me to attach it rather than paste it. I haven't done that before here, so hopefully both of the files you asked for previously are attached now...

    I'll run the rootkit thing next...
     

  10. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    I don't see whether or not the attachment is actually attached. I'm assuming it's only visible to you? I deleted the mangled pasted posts, since it takes forever to load this page with them, and with the attachment they should now be duplicates. It is also a bit much personal information to have pasted in a public forum for my taste. Hope that was okay.

    Here's the rootchk log


    ********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
    Thu 10/11/2007 15:47:53.21

    The rootkits that are detected by this tool were not found.

    ********************************* ROOTCHK-LOG-end


    catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-11 15:47:56
    Windows 5.0.2195
    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    hidden processes: 0
    hidden services: 0
    hidden files: 0
     
  11. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    My AVG just found something related to what we're doing. I'm going to try to attach a screen shot, but am not sure I'm doing it right. In the manage attachments window it lists file under current attachments, but I see no evidence of it arriving on your end.

    In case it isn't attached, the test result says:

    Object: C:\WINNT\System32\drivers\etc\hosts
    Result: Change
    Status: Changed

    Object: C:\SDFix\backups\backups.zip:\backups\svshost.exe
    Result: Trojan horse IRC\BackDoor.SdBot3.TPR
    Status: Infected, Embedded object, Deleted

    Object: C:\SDFix\backups\backups.zip
    Status: Moved to Vault, Archive

    In the virus vault it says:

    Virus name: Trojan horse IRC/BackDoor.SdBot3.TPR
    Path: C:\SDFix\backups\backups.zip
    Date of detection: 10/11/2007 9:54:21PM
    Filename: backups.zip

    There are also previous entries, in case these are related (looks like some are versions of each other?):

    Virus name: Virus identified Worm/Nachi.A
    Path: C:\WINNT\system32\wins\DLLHOST.EXE
    Date of detection: 6/26/2007 10:29:26PM
    Filename: DLLHOST.EXE

    Trojan horse IRC\BackDoor.SdBot2.KYE
    Path: C:\WINNT\system32\setup_08136.exe
    Date of detection 7/2/2007 11:37:43PM
    Filename: setup_08136.exe

    Trojan horse IRC/BackDoor.SdBot3.CPT
    Path: C:\WINNT\system32\scricon.exe
    Date of detection: 7/10/2007 4:09:10AM
    Filename: scricon.exe
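AVG's "Change" result on C:\WINNT\System32\drivers\etc\hosts says only that the file differs from what AVG last recorded, not what is in it, and the thread never shows the contents. As an added example, not from the thread or from AVG, this is the check a responder runs on a copy of the file: on a stock Windows 2000 install the only mapping is 127.0.0.1 localhost, so every other entry is classified either as a blackhole (a name pointed at loopback or 0.0.0.0, the pattern used to stop AV and Windows Update hosts from resolving) or as a redirect to some other address. The sample hosts text is constructed; its two injected entries are hypothetical illustrations, not entries from the poster's machine.

```python
import ipaddress
from typing import Dict, List, Tuple

# A stock Windows 2000 hosts file maps only "localhost" to loopback. Anything
# else is either an admin's deliberate entry or something a bot dropped.
EXPECTED = {("127.0.0.1", "localhost")}
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample (the thread's real file is not shown): the stock line
# plus hypothetical entries of the kind that block AV and OS updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       free.grisoft.com      # hypothetical: AVG Free update host
0.0.0.0         update.microsoft.com  # hypothetical: Windows Update
10.0.0.5        www.example.com       # hypothetical: pharming-style redirect
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, with comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address, so not a mapping; skip
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def classify_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split entries into expected, blackholed (name sent nowhere) and redirected."""
    result: Dict[str, List[Tuple[str, str]]] = {"expected": [], "blackhole": [], "redirect": []}
    for ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            result["expected"].append((ip, name))
        elif ip in BLACKHOLE_IPS:
            result["blackhole"].append((ip, name))
        else:
            result["redirect"].append((ip, name))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{kind:9} {ip:15} {name}")
```

Run it against a copy of the file taken before any cleanup tool resets it; once SDFix or a similar tool has rewritten the hosts file, the evidence of which update servers were being blocked is gone.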
     

  12. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    OK. I got it now. Apparently I have to leave that attachment window open until I'm done posting... Duh. Sorry about that. I have now noticeably attached the logs you asked for in post #9.
     
  13. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    You can safely ignore the AVG findings. It has either dealt with them or has alerted on SDFix resetting the hosts file.

    WinPFind3 Fix -


    Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Win32 Services - Non-Microsoft Only]
    YY -> (Storage Accounts Manager) Storage Accounts Manager [Win32_Own | Auto | Stopped] -> %System32%\svshost.exe
    [Registry - All]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> ShellBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    < Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    
    
    The fix should only take a very short time and then you may be asked if you want to reboot. Choose Yes; reboot manually if it doesn't prompt.

    When it reboots, post the following back here:

    the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  14. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    131
    Here's the new log:

    [Win32 Services - Non-Microsoft Only]
    Service Storage Accounts Manager stopped successfully.
    Service Storage Accounts Manager deleted successfully.
    File C:\WINNT\SYSTEM32\svshost.exe not found.
    [Registry - All]
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\\shell updated successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\\shell updated successfully.
    < End of log >
    Created on 10/14/2007 21:16:15

    No problems doing what you told me to. It didn't prompt me to reboot, but I did.

    After I rebooted, I noticed the rootchk icon on my desktop looked different. Before, it was an elaborate symbol, after, it was one of the little generic application boxes.

    Then, while I pasted this, AVG detected a threat, which it says it healed:
    Virus Name: Trojan horse Downloader.Zlob
    Path: C:\Documents and Settings\XYZ\Desktop\rootchk.exe

    After that the rootchk icon was gone altogether.

    Things have been running much smoother since I did that stuff in Safe Mode. I saw something flash on my screen once since then. Too fast to see what it was. No applications showed up in my Task Manager. I thought it could have been a pop-up, blocked by my adblock. And a couple of times my desktop went black for a moment, but I was overwhelming the system with a picture-heavy document, so figured that could have caused it, though it doesn't usually when I have such a document open.

    My Kerio firewall doesn't always start at startup, which I think might be a problem with their free version. It did start when I rebooted after this fix, but there's no way to tell yet if it will continue to act as before, or if it also got fixed.

    Could you give me some idea about preventing getting infected like this again? It looked to me like much of what's infected me this year was either the same type of virus repeatedly, or they were part of the same infection...? If I keep getting the same infection, is there any way to tell if it's something specific I'm doing that makes that happen?

    Also, could you tell me if it's safe to empty the AVG vault, or if it's better not to?

    Thanx so much for all your help.
     
  15. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,852
    Empty the AVG vault, as you have no need to restore them.

    Please download ATF Cleaner by Atribune
    This program is designed for XP and Windows 2000 only (it should now run on 98/ME and Vista).

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    Then:
    If you use Firefox browser

    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Then:
    If you use Opera browser

    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    Turn off system restore by following instructions here
    http://www.thespykiller.co.uk/index.php?page=8
    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.

    Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks,
    and scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update and make sure you are fully updated, and get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
     
Short URL to this thread: https://techguy.org/635003